There’s an update for Async Javascript that needs your urgent attention. Update asap!
[Update] I was warned by WordFence about a vulnerability in Async JavaScript that was being actively exploited. Based on their input I updated the plugin to fix the bug. WordFence in the meantime published a post about this and other affected plugins and with regard to AsyncJS writes:
Async JavaScript’s settings are modified via calls to
wp-admin/admin-ajax.phpwith the actionaj_steps. This AJAX action is registered only for authenticated users, but no capabilities checks are made. Because of this, low-privilege users including Subscribers can modify the plugin’s settings.
Similar to Flexible Checkout Fields above, certain setting values can be injected with a crafted payload to execute malicious JavaScript when a WordPress administrator views certain areas of their dashboard.